diff --git a/ChangeLog b/ChangeLog
index 60ec9cbc..53e2e705 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -39,6 +39,9 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
 * Per-distribution paths to the exim's main log
 * Ignored IPs are no longer banned when being restored from persistent
 database
+ * Catch also failed logins via secured (imaps/pop3s) for cyrus-imap.
+ Regression was introduced while strengthening failregex in 0.8.11 (bd175f)
+ Debian bug #755173
 - New features:
 - Added monit filter thanks Jason H Martin.
diff --git a/config/filter.d/cyrus-imap.conf b/config/filter.d/cyrus-imap.conf
index 3560234e..f8bee060 100644
--- a/config/filter.d/cyrus-imap.conf
+++ b/config/filter.d/cyrus-imap.conf
@@ -11,7 +11,7 @@ before = common.conf
 [Definition]
-_daemon = (?:cyrus/)?(?:imapd?|pop3d?)
+_daemon = (?:cyrus/)?(?:imap(d|s)?|pop3(d|s)?)
 failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[\] \S+ .*?\[?SASL\(-13\): authentication failure: .*\]?$
diff --git a/fail2ban/tests/files/logs/cyrus-imap b/fail2ban/tests/files/logs/cyrus-imap
index 9bf271f6..c46cb1ee 100644
--- a/fail2ban/tests/files/logs/cyrus-imap
+++ b/fail2ban/tests/files/logs/cyrus-imap
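Review bot: The new `_daemon` line in config/filter.d/cyrus-imap.conf widens the match with capturing groups, `imap(d|s)?` and `pop3(d|s)?`, while the rest of the expression uses non-capturing `(?:...)`; a character class expresses the same set without adding groups: `_daemon = (?:cyrus/)?(?:imap[ds]?|pop3[ds]?)`. The expression remains a fixed allow-list of service tags, so failed logins logged under any other tag would go unbanned in the same silent way the imaps/pop3s ones did. A comment above it such as `# syslog tags of the Cyrus services to watch; extend if your services are named differently` would make that limit visible, assuming the tag follows the configured service name (worth confirming). The `failregex` context line appears on this page as `\[\]`, which looks like the host placeholder was lost in rendering, so take the expression from the repository rather than from here.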
@@ -1,5 +1,7 @@
 # failJSON: { "time": "2005-01-04T21:51:05", "match": true , "host": "127.0.0.1" }
 Jan 4 21:51:05 hostname cyrus/imap[5355]: badlogin: localhost.localdomain [127.0.0.1] plaintext cyrus@localdomain SASL(-13): authentication failure: checkpass failed
+# failJSON: { "time": "2005-01-04T21:51:05", "match": true , "host": "127.0.0.1", "desc": "For secure imaps" }
+Jan 4 21:51:05 hostname cyrus/imaps[5355]: badlogin: localhost.localdomain [127.0.0.1] plaintext cyrus@localdomain SASL(-13): authentication failure: checkpass failed
 # failJSON: { "time": "2005-02-20T17:23:32", "match": true , "host": "198.51.100.23" }
 Feb 20 17:23:32 domain cyrus/pop3[18635]: badlogin: localhost [198.51.100.23] plaintext administrator SASL(-13): authentication failure: checkpass failed
 # failJSON: { "time": "2005-02-20T17:23:32", "match": true , "host": "1.2.3.4" }
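Review bot: Only the `cyrus/imaps` tag gets a sample line in this hunk, so the `pop3s` half of the changed `_daemon` expression is not exercised as far as the visible lines show. The regression this commit fixes could therefore return for POP3 over TLS without a test failing, leaving those failed logins unbanned. A matching pair for `cyrus/pop3s` would pin it: a `# failJSON: { ..., "match": true, ... }` line followed by a `badlogin:` line carrying that tag, mirroring the existing `cyrus/pop3` sample. The file continues beyond the hunk, so such a sample may already exist further down.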